Systems and methods for connection management

ABSTRACT

Methods and systems are described for managing connections between client devices and servers. A client device may establish a connection with a connection manager device. The client device may request to establish a connection with a server. The connection manager may determine whether a user of the client device has user privileges to access the server. The connection manager may determine whether the user is a member of a group that has privileges to access the server. The connection manager may retrieve user or group credentials for accessing the server. The connection manager may establish a connection with the server. The connection manager may coordinate communications between the client device and the server. The connection manager may record the communications between the client device and the server.

CROSS-REFERENCE

The present application claims priority to European Patent Application No. 18315038.2, entitled “SYSTEMS AND METHODS FOR CONNECTION MANAGEMENT,” filed on Nov. 12, 2018, the entirety of which is incorporated herein by reference.

FIELD

Embodiments described herein relate generally to systems and methods for managing connections, and more particularly, to systems and methods for establishing and/or monitoring connections between users and servers.

BACKGROUND

Users may connect to servers to perform various commands on the servers, such as to access services provided by the servers. For security and other reasons, access to a server may be controlled. To access a server, a user may authenticate with the server. Various methods may be used to authenticate the user, such as public key authentication, a username and password, or other methods of authentication.

When a user has access to multiple servers, each server may store a key corresponding to the user. Each individual server may store many keys, one key for each of the users having access to that server. As the number of network administrators grows, managing this growing volume of keys may be overly complex and time consuming. For example, when a user's access rights are revoked, the user's key should be removed from each server that the user previously had access to. Additionally, whenever a new user is given access rights to servers, a key for the user must be placed on each of the servers. It may be desirable to more efficiently manage the distribution of keys.

A network operator may wish to perform various audits relating to network security, such as determining which servers each user has access to and/or determining what operations users have performed on servers. It may be difficult to determine which servers each user of the network has access to. Connections between the user and the server may be encrypted. Because the connections are encrypted, it may be difficult to record information about which users are accessing which servers, and the contents of communications between the users and the servers. It may be desirable to log information regarding the connections, such as information indicating which users are accessing which servers. It may also be desirable to record the communications that occur between users and servers.

The subject matter discussed in the background section should not be assumed to be prior art merely as a result of its mention in the background section. Similarly, a problem mentioned in the background section or associated with the subject matter of the background section should not be assumed to have been previously recognized in the prior art. The subject matter in the background section merely represents different approaches.

SUMMARY

The following summary is for illustrative purposes only, and is not intended to limit or constrain the detailed description. The following summary merely presents various described aspects in a simplified form as a prelude to the more detailed description provided below.

An intermediate device, which is referred to herein as a connection manager, may be used to manage and/or establish connections between client devices, which are accessed by users, and servers or other network devices that the users request to access. The client device may establish a connection with the connection manager. The connection manager may authenticate the client device, such as by using public key authentication, which may be referred to as public key cryptography. The public key authentication may be performed using the secure shell (SSH) protocol. To perform public key authentication, one party may hold a private key that allows communications encrypted with a corresponding public key to be decrypted.

A client device may request to access a server. The client device may transmit the request to the connection manager. The connection manager may determine whether the client device is authorized to access the requested server. If the client device is authorized to access the requested server, the connection manager may retrieve a key corresponding to the requested server.

After retrieving the key corresponding to the requested server, the connection manager may establish a connection between the connection manager and the requested server. The connection manager may indicate, to the client device, that a connection has been established between the connection manager and the requested server. The connection manager may receive communications from the client device and forward those communications to the requested server, and/or the connection manager may receive communications from the requested server and forward those communications to the client device.

The connection manager may record the communications between the client device and the requested server. The connection manager may store the recorded communications. The connection manager may record information about each connection, such as an indication of the client device, user, server, time that the connection was established, length of the connection, and/or other information regarding the connection.

The connection manager may comprise information regarding groups. Each group may have access to one or more servers. The connection manager may receive a request from a client device to modify information regarding a group, such as which users are in the group, which servers the group has access to, the roles of users within the group, or other information regarding the group. The connection manager may determine whether the user accessing the client device has sufficient privileges to perform the requested modification. After confirming that the user has sufficient privileges to perform the modification to the group, the connection manager may modify the group.

In one aspect, various implementations of the present technology may provide a method comprising: receiving, from a client device, a request to establish a connection with a server, wherein the request indicates a user of the client device; authenticating, using a public key corresponding to the client device, the user; determining whether the user has privileges to access the server; after determining that the user is authorized to access the server, retrieving a private key corresponding to the server; establishing, using the private key, a connection to the server; coordinating communications between the client device and the server; and recording the communications between the client device and the server.

In the context of the present specification, unless expressly provided otherwise, a computer system may refer, but is not limited to, an “electronic device,” an “operation system,” a “system,” a “computer-based system,” a “controller unit,” a “monitoring device,” a “control device,” a “network device,” and/or any combination thereof appropriate to the relevant task at hand.

In the context of the present specification, unless expressly provided otherwise, the expressions “computer-readable medium” and “memory” are intended to include media of any nature and kind whatsoever, non-limiting examples of which include RAM, ROM, disks (CD-ROMs, DVDs, floppy disks, hard disk drives, etc.), USB keys, flash memory cards, solid-state drives, and/or tape drives. Still in the context of the present specification, “a” computer-readable medium and “the” computer-readable medium should not be construed as being the same computer-readable medium. To the contrary, and whenever appropriate, “a” computer-readable medium and “the” computer-readable medium may also be construed as a first computer-readable medium and a second computer-readable medium.

In the context of the present specification, unless expressly provided otherwise, the words “first,” “second,” “third,” etc. have been used as adjectives only for the purpose of allowing for distinction between the nouns that they modify from one another, and not for the purpose of describing any particular relationship between those nouns.

Implementations of the present technology each may have at least one of the above-mentioned object and/or aspects, but do not necessarily have all of them. It should be understood that some aspects of the present technology that have resulted from attempting to attain the above-mentioned object may not satisfy this object and/or may satisfy other objects not specifically recited herein.

Additional and/or alternative features, aspects and advantages of implementations of the present technology will become apparent from the following description, the accompanying drawings and the appended claims.

BRIEF DESCRIPTION OF THE DRAWINGS

These and other features, aspects, and advantages of the present disclosure will become better understood with regard to the following description, claims, and drawings. The present disclosure is illustrated by way of example, and not limited by, the accompanying figures in which like numerals indicate similar elements.

FIG. 1 shows an example computing system that may be used to implement any of the methods described herein.

FIG. 2 shows an example of devices communicating via a connection manager according to one or more illustrative aspects of the disclosure.

FIG. 3 shows an example of a connection manager device according to one or more illustrative aspects of the disclosure.

FIGS. 4A-C are a flow diagram of a method for establishing a connection between a client device and a server according to one or more illustrative aspects of the disclosure.

FIG. 5 is a flow diagram of a method for configuring a server according to one or more illustrative aspects of the disclosure.

FIG. 6 shows an example of group roles according to one or more illustrative aspects of the disclosure.

FIGS. 7A and 7B are a flow diagram of a method for modifying access rights according to one or more illustrative aspects of the disclosure.

DETAILED DESCRIPTION

In the following description of various illustrative embodiments, reference is made to the accompanying drawings, which form a part hereof, and in which are shown, by way of illustration, various embodiments in which aspects of the disclosure may be practiced. It is to be understood that other embodiments may be utilized, and structural or functional modifications may be made, without departing from the scope of the present disclosure.

Users accessing client devices may wish to establish secure communication sessions with servers. Although referred to herein as servers, client devices may establish communication sessions with other types of network devices, such as routers or switches. In order to establish the communication session, the client device may authenticate with the server. The client device may then perform various commands on the server. In this way, the user can access services provided by the server.

In order for a user to access a group of servers, private and public key pairs may be placed on each client device of the user and each server that the user is permitted to access. This may be a cumbersome process when users are frequently being added to or removed from the network. Each time a user is added, private and public key pairs may be generated for each client device used by the user and each server accessible to the user. A public key may be placed on each of the servers accessible to the user. Each time a user is removed, a public key corresponding to the user may be removed from each server that the user had access to.

A network operator may wish to perform various audits of a network, such as determining a list of every user with access privileges to the network, and a list of servers that each user has access to. A scan may be performed of each server on the network, to determine which keys are stored on the servers. Then, a list of users that have access to each of the servers may be generated. This scan may be time-consuming to perform.

A network operator may wish to control access to servers and other devices, to perform audits on the network, and/or to monitor communication sessions between client devices and servers. An intermediate device, such as a connection manager, may coordinate communications between client devices and servers. The connection manager may facilitate controlling access to servers. The connection manager may more efficiently perform network audits. The connection manager may record communications sessions between client devices and servers. The connection manager may authenticate client devices, establish sessions with servers, log connections, and/or record data transmitted between client devices and servers.

The connection manager may comprise user and group data that indicate which groups each user is a member of and the roles of each member within the groups. The user and group data may indicate which server keys a user has access to, either through their own access rights or through group membership.

In order to increase security, the operating system of the connection manager may restrict access to the server keys. The operating system may comprise a definition of which users and groups can access which keys. The operating system may restrict access to the keys based on these definitions. Thus, in order to access a key, a user may pass through two verifications: a first verification performed by software executing on the connection manager, and a second verification performed by the operating system of the connection manager. Even if an intruder is able to modify the software executing on the connection manager, the operating system of the connection manager may prevent unauthorized access to server keys. This may decrease the possibility that an unauthorized intruder, such as a hacker, would be able to gain access to any servers. This may also decrease the possibility that an authorized user would be able to gain access to a server that the authorized user is not permitted to access.

FIG. 1 illustrates a diagram of a computing environment 100 in accordance with an embodiment of the present technology. In some embodiments, the computing environment 100 may be implemented by any of a conventional personal computer, a server, a router, a switch, a controller, and/or an electronic device (such as, but not limited to, a mobile device, a tablet device, a server, a controller unit, a control device, a monitoring device etc.) and/or any combination thereof appropriate to the relevant task at hand. In some embodiments, the computing environment 100 comprises various hardware components including one or more single or multi-core processors collectively represented by a processor 110, a solid-state drive 120, a memory device, for example a random access memory 130, and an input/output interface 150. The computing environment 100 may be a computer specifically designed for operating in a data center environment. The computing environment 100 may be a generic computer system.

In some embodiments, the computing environment 100 may also be a sub-system of one of the above-listed systems. In some embodiments, the computing environment 100 may be an “off the shelf” generic computer system. In some embodiments, the computing environment 100 may be distributed amongst multiple systems. The computing environment 100 may be specifically dedicated to the implementation of the present technology. As a person in the art of the present technology may appreciate, multiple variations as to how the computing environment 100 is implemented may be envisioned without departing from the scope of the present technology.

Communication between the various components of the computing environment 100 may be enabled by one or more internal and/or external buses 160 (e.g. a PCI bus, universal serial bus, IEEE 1394 “Firewire” bus, SCSI bus, Serial-ATA bus, ARINC bus, etc.), to which the various hardware components are electronically coupled.

The input/output interface 150 may provide networking capabilities such as wired or wireless access. As an example, the input/output interface 150 may comprise a networking interface such as, but not limited to, one or more network ports, one or more network sockets, one or more network interface controllers and the like. Multiple examples of how the networking interface may be implemented will become apparent to the person skilled in the art of the present technology. For example, but without being limitative, the networking interface may implement specific physical layer and data link layer standards such as Ethernet, Fibre Channel, Wi-Fi, or Token Ring. The specific physical layer and the data link layer may provide a base for a full network protocol stack, allowing communication among small groups of computers on the same local area network (LAN) and large-scale network communications through routable protocols, such as Internet Protocol (IP).

According to implementations of the present technology, the solid-state drive 120 stores program instructions suitable for being loaded into the random access memory 130 and executed by the processor 110. For example, the program instructions may be part of a library or an application. Although illustrated as a solid-state drive 120, any type of memory may be used in place of the solid-state drive 120, such as a hard disk, optical disk, and/or removable storage media.

FIG. 2 shows an example of devices communicating via a connection manager according to one or more illustrative aspects of the disclosure. The users 201-03 may use client devices 210-13 to access servers 260-62 via the connection manager 250. The user 201 may use client devices 210 or 211 to connect to the connection manager 250. The users 202 and 203 may use the client devices 212 and 213, respectively, to connect to the connection manager 250.

The users 201-03 may authenticate with their respective client devices 210-13. The users 201-03 may enter a username and password, perform a biometric authentication, use a physical device to authenticate, and/or use any other authentication method to authenticate with the client devices 210-13. For example, fingerprint recognition, facial recognition, a retinal scan, two-factor authentication, and/or a YubiKey may be used to authenticate the users 201-03 with the client devices 210-13. It should be understood that in some configurations a user 201-03 may access a client device 210-13 without authenticating with the client device 210-13. A user 201-03 might not authenticate with the client device 210-13 each time the user 201-03 accesses the client device 210-13. For example, a user may authenticate with one of the client devices 210-13, and that authentication may be valid for 30 days. In another example, if a user 201-03 is accessing the client device 210-13 on a known network, authentication might not be requested, whereas if the user 201-03 is accessing the client device 210-13 on an unknown network, authentication may be requested.

After a user 201-03 has authenticated with one of the client devices 210-13, the user 201-03 may request access to one of the servers 260-62. The user 201-03 may use a terminal on the client device 210-13, such as an SSH terminal, to request a connection with one of the servers 260-62. The request may be transmitted from one of the client devices 210-13 to the connection manager 250.

After receiving a request from one of the client devices 210-13, the connection manager 250 may authenticate the user 201-03 accessing the client device 210-13. The connection manager may use public key authentication to authenticate the user 201-03. Private keys corresponding to the users 201-03 may be stored on their respective client devices 210-13. Each user may have multiple associated private keys. A first private key corresponding to the user 201 may be stored on the client device 210, and a second private key corresponding to the user 201 may be stored on the client device 211. Alternatively, the same private key corresponding to the user 201 may be stored on both client devices 210 and 211. If different private keys are stored by the client devices 210 and 211, then two different public keys, each corresponding to one of the private keys, may be stored on the connection manager 250.

After a client device 210-13 requests access to the connection manager 250, the connection manager 250 may retrieve a public key corresponding to the user 201-03 and/or the client device 210-13 requesting access. The public key may then be used to authenticate the requesting client device 210-13 through public key authentication. One or more messages, which may be encrypted messages, may be transmitted between the connection manager 250 and the requesting client device 210-13 to perform the public key authentication. An SSH session may be opened between the requesting client device 210-13 and the connection manager 250.

Other authentication methods may be used to authenticate the requesting client device 210-13 with the connection manager 250. For example, a username and/or password combination corresponding to the user 201-03 may be used to authenticate the requesting client device 210-13 with the connection manager 250, such as in HTTPS authentication.

After the connection manager 250 has authenticated the requesting client device 210-13, the connection manager 250 may determine the access rights of the user 201-03. A database, or other data storage structure, may be queried to determine which servers 260-62 the user 201-03 has access to. A level of access may also be determined for the user 201-03, such as whether the user has root access or some other level of access to the server 260-62. If the user has access to the requested server 260-62, a private key of the user may be retrieved by the connection manager 250.

The user 201-03 may be a member of one or more groups. The connection manager 250 may query a database, or other data storage structure, to determine which groups the user 201-03 is a member of. If any of the groups has access to the requested server 260-62, the private keys corresponding to those groups and the requested server may be retrieved.

After retrieving one or more personal private keys and/or group private keys, the connection manager 250 may establish a connection with the requested server 260-62. The connection may be an SSH connection. Public key authentication may be used to authenticate the connection manager 250 with the requested server 260-62. Although described above as using public key authentication, it should be understood that other authentication methods may be used. For example, rather than retrieving one or more private keys, one or more username and password combinations may be retrieved, and a connection may be established between the connection manager 250 and the requested server 260-62 using the username and password. Data transmitted between the connection manager 250 and the requested server 260-62 may be encrypted.

The requesting client device 210-13 may be able to use the private key for connection to the requested server 260-62 via the connection manager 250, but might not be able to extract the key from the connection manager 250. The requesting client device 210-13 might not be permitted to retrieve the key from the connection manager 250. Rather, each time the requesting client device 210-13 wishes to connect to the requested server 260-62, the requesting client device 210-13 may connect via the connection manager 250. Various security features of the connection manager 250 may be configurable. A connection manager 250 used in a development environment may be operated with some deactivated security features.

After the connection manager 250 has established a connection with the requested server 260-62, the connection manager 250 may transmit an indication, to the requesting client device 210-13, that the connection has been established. The connection manager 250 may coordinate communications between the requesting client device 210-13 and the requested server 260-62.

The connection manager 250 may link the two connections. Communications received from the requesting client device 210-13 may be received and decrypted by the connection manager 250. The connection manager 250 may then encrypt the decrypted data and transmit the encrypted data to the requested server 260-62. Communications received by the connection manager from the requested server 260-62 may be decrypted by the connection manager 250. The connection manager 250 may encrypt the decrypted data and transmit the encrypted data to the requesting client device 210-13. In this fashion, the requesting client device 210-13 may communicate with the requested server 260-62. The user 201-03 may enter commands on an SSH terminal executing on the requesting client device 210-13, and those commands may be executed on the requested server 260-62. Decrypted communications may be recorded by the connection manager 250.

The recorded communications may be stored by the connection manager 250, such as in a log. The connection manager 250 may record various details about the connection, such as the time at which the connection was initialized, the time at which the connection was terminated, the user 201-03 that requested the connection, the client device 210-13 that requested the connection, the server 260-62 that was connected to, whether a user key or group key was used to connect to the server 260-62, which key was used to connect to the server 260-62, and/or any other information regarding the connection between the requesting client device 210-13 and the requested server 260-62.

Upon receiving a request to terminate the connection from the requesting client device 210-13 and/or the requested server 260-62, the connection manager 250 may terminate the connection between the devices. The connection manager 250 may terminate the connection after a pre-determined amount of time has passed. The connection may be terminated after a pre-determined amount of time has passed in which no communications occur between the devices.

Although FIG. 2 illustrates an exemplary network arrangement, any number of client devices 210-13, connection managers 250, and servers 260-62 may be used. A cluster of connection manager 250 servers may be used, such as to ensure that the connection manager 250 is available even if one of the connection manager 250 servers is offline. Multiple connection managers 250 may be used. A first connection manager 250 may be accessible via public and private IP addresses, and a second connection manager 250 may be accessible via private IP addresses but inaccessible via public IP addresses. The second connection manager 250 may thus be more secure, because it is inaccessible via public IP addresses. The first connection manager 250 may provide access to a first group of servers and the second connection manager 250 may provide access to a second group of servers. The second group of servers may be a group of servers for which security is considered more critical than the first group of servers.

FIG. 3 shows an example of a connection manager 250 device according to one or more illustrative aspects of the disclosure. The connection manager 250 may be implemented on the computing environment 100. The elements illustrated as being comprised within the connection manager 250 may be implemented within the connection manager 250, may be implemented in separate devices that are in communication with the connection manager 250, and/or any combination thereof. As described above, the connection manager 250 may manage connections between client devices 210-13 and servers 260-62.

The connection manager may comprise one or more client public keys 310. Each client device 210-13 that is configured to access the connection manager 250 may have a corresponding client public key 310 stored on the connection manager 250. When a client device 210-13 requests to establish a connection with the connection manager 250, the corresponding client public key 310 may be retrieved and used to authenticate the requesting client device 210-13.

Stored user account data 330 may indicate which servers 260-62 a user 201-03 has access to. For each server 260-62, the stored user account data 330 may comprise access rights data for establishing a connection with the server 260-62. The access rights data may indicate which port to use when connecting to a server 260-62.

The access rights data may indicate a specific port number, or may indicate a wildcard, in which case any port may be used to establish a connection with the server 260-62. The access rights data may indicate an address corresponding to the server 260-62. The address may be a single IP address, a range of IP addresses, such as a whole subnet, or any other type of address. The access rights data may comprise a username to use when connecting to the server 260-62, such as “root,” a wildcard in which case any username may be used, or any other user. The stored user account data 330 may be stored in a database or any other data storage structure.

Stored group account data 340 may comprise, for each group, a list of users in the group and/or a list of servers that the group has access to. The stored group account data 340 may indicate the roles of each user within the group. Roles within a group are further discussed below, with regards to FIGS. 6 and 7. The stored group account data may comprise, for each server, access rights data, as described above. Although illustrated as separate, all or portions of stored user account data 330 and stored group account data 340 may be combined.

The stored user account data 330 and stored group account data 340 may be used to determine whether a user 201-03 has access rights to a server 260-62. After the determination has been made, private keys for accessing the servers 260-62 may be retrieved from the server private keys 320.
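The following is an added illustration, written for this page and not the patent's own implementation, of how the access rights data described for the stored user account data 330 and stored group account data 340 (address as single IP or subnet, port or wildcard, username or wildcard) might be evaluated for a request, first through the user's own rights and then through group membership, yielding the identifiers of the server private keys 320 that may be retrieved. The rule fields, sample users, groups, addresses and key identifiers are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRule:
    """One access-rights entry (fields modelled on the description above):
    address is a single IP or a subnet, port is a number or the wildcard '*',
    username is a specific account such as 'root' or '*', and key_id names the
    server private key this rule unlocks. All values are constructed."""
    address: str
    port: str
    username: str
    key_id: str

    def matches(self, host: str, port: int, username: str) -> bool:
        try:
            net = ipaddress.ip_network(self.address, strict=False)
            if ipaddress.ip_address(host) not in net:
                return False
        except ValueError:
            return False  # malformed address on either side: deny
        if self.port != "*" and int(self.port) != port:
            return False
        if self.username != "*" and self.username != username:
            return False
        return True


# Constructed sample data standing in for the user and group account data.
USER_RULES = {
    "alice": [AccessRule("10.0.1.7", "22", "alice", "user-key-alice-10.0.1.7")],
}
GROUP_RULES = {
    "dba": [AccessRule("10.0.2.0/24", "*", "postgres", "group-key-dba-db-subnet")],
    "ops": [AccessRule("10.0.1.0/24", "*", "*", "group-key-ops-app-subnet")],
    "netops": [AccessRule("10.0.3.1", "2222", "*", "group-key-netops-router")],
}
GROUP_MEMBERS = {
    "dba": {"alice", "bob"},
    "ops": {"alice"},
    "netops": {"carol"},
}


def groups_of(user: str) -> set:
    """Groups the user is a member of, per the group account data."""
    return {g for g, members in GROUP_MEMBERS.items() if user in members}


def authorized_keys(user: str, host: str, port: int, username: str) -> list:
    """Return (source, key_id) pairs for every server key the user may use
    for the requested (host, port, username): the user's own rules first, then
    each group's rules. An empty list means the request is denied before any
    key is retrieved (the OS-level key permissions would be a second check)."""
    keys = []
    for rule in USER_RULES.get(user, []):
        if rule.matches(host, port, username):
            keys.append(("user", rule.key_id))
    for group in sorted(groups_of(user)):
        for rule in GROUP_RULES.get(group, []):
            if rule.matches(host, port, username):
                keys.append(("group:" + group, rule.key_id))
    return keys
```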

Communications recorder 350 may record all or a portion of communications between the client devices 210-13 and the servers 260-62. For each communication between the client devices 210-13 and the servers 260-62, the communications recorder 350 may store a timestamp corresponding to the communication and/or data of the communication. The stored data may be used to replay the data output on a terminal at a client device 210-13 and/or server 260-62.
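As an added example (written for this page, not the patent's code) of the recording described for the communications recorder 350 and the connection log above: each decrypted chunk relayed in either direction is stored with a timestamp alongside the connection details (user, client device, server, whether a user or group key was used, start and end time), and the stored chunks are turned into a replay schedule that preserves the original inter-chunk timing. The record layout, field names and the sample session are constructed; a fake clock is used so the timings are deterministic.

```python
import base64
import json
import time


class SessionRecorder:
    """Records one relayed session: connection details plus every decrypted
    chunk, timestamped, with direction 'c2s' (client to server) or 's2c'."""

    def __init__(self, user, client_device, server, key_kind, key_id,
                 clock=time.time):
        self.clock = clock
        self.header = {
            "user": user,
            "client_device": client_device,
            "server": server,
            "key_kind": key_kind,  # "user" or "group" key used for the server
            "key_id": key_id,
            "started_at": clock(),
            "ended_at": None,
        }
        self.chunks = []

    def relay(self, direction, plaintext):
        """Record a decrypted chunk and hand it back for re-encryption and
        forwarding to the other side."""
        if direction not in ("c2s", "s2c"):
            raise ValueError("direction must be 'c2s' or 's2c'")
        self.chunks.append((self.clock(), direction, bytes(plaintext)))
        return plaintext

    def close(self):
        """Mark the connection terminated; return its duration in seconds."""
        self.header["ended_at"] = self.clock()
        return self.header["ended_at"] - self.header["started_at"]

    def dump(self):
        """Serialise as JSON lines: one header line, then one line per chunk.
        Chunk data is base64-encoded so raw terminal bytes survive."""
        lines = [json.dumps(self.header)]
        for ts, direction, data in self.chunks:
            lines.append(json.dumps({
                "ts": ts,
                "dir": direction,
                "data": base64.b64encode(data).decode("ascii"),
            }))
        return "\n".join(lines)


def load_session(text):
    """Parse a dump() string back into (header, chunks)."""
    lines = text.split("\n")
    header = json.loads(lines[0])
    chunks = []
    for line in lines[1:]:
        entry = json.loads(line)
        chunks.append((entry["ts"], entry["dir"],
                       base64.b64decode(entry["data"])))
    return header, chunks


def replay_schedule(chunks, direction="s2c"):
    """Return [(delay, data)] for replaying what one side saw on its terminal,
    keeping the original gaps between chunks; the first chunk has delay 0."""
    selected = [(ts, data) for ts, d, data in chunks if d == direction]
    schedule, prev = [], None
    for ts, data in selected:
        schedule.append((0.0 if prev is None else ts - prev, data))
        prev = ts
    return schedule


def demo():
    """Constructed session driven by a fake clock (seconds since epoch)."""
    ticks = iter([100.0, 100.5, 101.0, 101.2, 103.0, 103.1, 104.0])
    rec = SessionRecorder("alice", "laptop-210", "10.0.2.15", "group",
                          "group-key-dba-db-subnet", clock=lambda: next(ticks))
    rec.relay("c2s", b"whoami\n")
    rec.relay("s2c", b"postgres\n")
    rec.relay("c2s", b"uptime\n")
    rec.relay("s2c", b" 10:00 up 3 days\n")
    rec.relay("c2s", b"exit\n")
    duration = rec.close()
    header, chunks = load_session(rec.dump())
    return duration, header, chunks, replay_schedule(chunks)
```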

An operating system 360 may manage the hardware and software of the connection manager. The operating system 360 may be a Linux-based operating system, Unix-based operating system, Windows operating system, or any other type of operating system. The users and/or groups may be defined in the operating system 360; in other words, the users 201-03 and groups of the connection manager 250 may be system users and system groups of the operating system 360. The operating system 360 may restrict access to the server private keys 320 to certain users 201-03 and/or groups.

The connection manager may comprise one or more server private keys 320. Each of the server private keys 320 may be associated with an individual user 201-03 or a group. One or more of the server private keys 320 may be retrieved when the connection manager is establishing a connection with one of the servers 260-62.

FIGS. 4A-C are a flow diagram of a method 400 for establishing a connection between a client device and a server according to one or more illustrative aspects of the disclosure. In one or more embodiments, the method 400 or one or more steps thereof may be performed by one or more computing devices or entities. Without limitation, all or portions of the method 400 may be executed by the client devices 210-13, connection manager 250, and/or servers 260-62. All or portions of the method 400 may be performed by components of the computing environment 100. The method 400 or one or more steps thereof may be embodied in computer-executable instructions that are stored in a computer-readable medium, such as a non-transitory computer-readable medium. Some steps or portions of steps in the flow diagram may be omitted or changed in order.

At step 405 a user request to establish a session with a server may bereceived. The user request may comprise an IP address of the requestedserver, name of the requested server, and/or any other identifyinginformation corresponding to the requested server. The user request maybe received via a terminal or any other type of graphical user interface(GUI). Although described as a user request, the request may begenerated by a software program, such as software executing on one ofthe client devices 210-13.

The request to establish the session may be received by a client device.Prior to inputting the request, the user may have been authenticated bythe client device. For example, the user may have entered a usernameand/or password to verify their identity.

At step 410 a request to establish the session with the requested servermay be transmitted. The request may be transmitted to a connectionmanager device, such as the connection manager 250. The request maycomprise the IP address and/or other identifying information indicatingthe requested server. The request may comprise information about therequesting client device and/or user accessing the requesting clientdevice. The request may comprise an IP address of the client device,identifying information of the user, and/or any other informationregarding the client device or user.

At step 415 the user and/or client device may be authenticated by theconnection manager. As described above, public key authentication may beused to authenticate the user with the connection manager. Theconnection manager may retrieve a public key corresponding to the userand/or client device, and may use the public key to authenticate theuser and/or client device. The user may be a system user defined in theoperating system of the connection manager. The user's access rights onthe connection manager may be controlled by the operating system basedon the definition of the user within the operating system.

At step 420 a determination may be made as to whether the authenticationwas successful or whether the authentication failed. If theauthentication failed, an error may be returned at step 425. Anadministrator may be notified that an authentication failure occurred.The authentication failure may be logged.

If the authentication is determined to have been successful at step 420, a session may be opened between the requesting client device and the connection manager. After opening the session, at step 430 a determination may be made as to whether the user has privileges to access the requested server 260-62. Keys corresponding to the user and stored on the connection manager may be retrieved and examined to determine whether any of the keys correspond to the requested server. A database, such as the stored user account data 330, may be queried to determine whether the user has privileges to access the requested server.

At step 435 a determination may be made as to whether the user is a member of any groups that provide access to the requested server. A user may be a member of one or more groups. Each group may have access to one or more servers. A list of groups that the user is a member of may be determined. Each group in the list may be examined to determine whether that group has access to the requested server. Stored group account data 340 may be queried to determine which groups the user is a member of and/or which servers each group has access to.

Groups may have various pre-defined roles for members of the group. Users that are members of the same group, but have different assigned roles within the group, may have access to different servers. For example, an associate of the group may have access to all servers used by the group, whereas a guest of the group may have access to a subset of the servers used by the group. At step 435, the user's role within each group may be determined, and then the servers that the user has access to through the group may be determined based on the role of the user.

At step 440 a determination may be made as to whether the user has access privileges to the requested server, either through their own access rights as determined at step 430 or through their group membership as determined at step 435. If the user does not have access to the requested server, an error may be returned at step 425. The error may indicate that the user does not have access to the requested server.

If the user is determined to have access to the requested server, at step 445 the user and/or group keys for accessing the server may be requested. The requested keys may be private keys used for authenticating with the server. The requested keys may be stored by the connection manager 250.

At step 450 the user's access to the requested keys may be verified. An operating system of the connection manager, such as the operating system 360, may be configured to restrict access to files. The user and group rights may be defined in the operating system. Prior to permitting access to the requested keys, the operating system may verify that either the user's system account has access to the requested keys or a system group that the user is a member of has access to the requested keys.

At step 455 a determination may be made as to whether the verification was successful. If the operating system does not allow access to the requested keys, a security issue may be flagged at step 460. An error may be reported, such as to an administrator of the system, indicating that a possible security breach has occurred. Because the determination at step 440 should already have excluded any key the user is not entitled to, a request at step 445 for keys that the user is not permitted to access may indicate that the connection manager software has been compromised. Various actions may be performed in response to determining that there was a request for keys at step 445 that the requesting user does not have access to. The user's account may be locked, the group may be locked, the connection manager 250 may be temporarily placed in an offline mode, and/or other actions may be taken.

If the verification was determined to be successful at step 455, the requested keys may be retrieved at step 465. A username and/or port for connecting to the requested server may be retrieved. At step 470 the retrieved keys may be used to open a session, or in other words establish a connection, with the requested server. The connection may be established via a port associated with the key used for connecting to the server. Public key authentication may be used to establish the connection with the requested server, such as SSH public key authentication. In addition to or instead of retrieving keys at step 465, a username and/or password may be retrieved. The username and/or password may be used to authenticate with the requested server at step 470, such as through HTTP authentication over an HTTPS connection.

At step 475 communications between the client device and the server may be coordinated, such as by the connection manager 250. Communications received from the client device may be decrypted. The communications may then be encrypted and transmitted to the server. Conversely, communications received from the server may be decrypted, and then encrypted and transmitted to the client device. The connection manager is therefore an endpoint of two separate encrypted sessions, one with the client device and one with the server, and handles the communications in plaintext between them. To the client device and/or the server, it may appear that the communications are being transmitted directly between the two devices, without any interference. To the user of the client device, the connection may appear to be an SSH session directly connecting the client device and the server without any intermediate device.

At step 480 all or a portion of the communications between the client device and the server may be recorded. The recorded communications may comprise decrypted communications. Timestamps corresponding to each of the communications may be recorded. The recording may be performed by a text program recorder, such as a TTY recorder. The recording may be in a text format, video format, or any other suitable format. The recording may be searchable. The recording may be used to replay the session between the client device and the server.

At step 485 a request to terminate the connection between the client device and the server may be received. The request may be received from the client device and/or the server. The request may be automatically generated after a pre-determined period of inactivity. Rather than receiving a request, the connection manager may determine, after a pre-determined period of inactivity, to terminate the connection.

At step 490 the recorded communications between the client device and the server may be stored. The recorded communications may be stored in a database or other data structure. The recorded communications may be transmitted to another device for storage. The recorded communications may be encrypted prior to storage.

At step 495 the connection between the client device and the server may be terminated. The connection manager may terminate the connection with the server. An indication that the connection has been terminated may be transmitted to the client and/or the server. A request to establish another connection may be received from the client. Because the user has already been authenticated with the connection manager, if another request is received the authentication between the client device and the connection manager may be skipped.
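The following Python module is an added example and is not code from the patent or from any product it describes. It walks the decision made at steps 430 through 470 for a handful of constructed users, groups and servers: the user's own rights (step 430), the role-aware group rights (step 435), and the operating-system check on the key file (step 450), with the step 460 security flag raised when the two layers disagree. The Unix permission check is emulated in Python over assumed owner, group and mode values rather than performed by a real operating system; every user, group, host name and path is an assumption.

```python
"""Authorization and key-access pipeline of method 400 (steps 430-470).

Added example; not code from the patent. Every hostname, user, group and
path below is a constructed assumption, and the Unix permission check is
emulated in Python rather than performed by a real operating system.
"""
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class KeyFile:
    """A server private key 320 as the connection manager's OS sees it."""
    path: str
    owner: str
    group: str
    mode: int


# Stored user account data 330: servers a user may reach in their own right.
USER_SERVERS = {"alice": {"db01"}}
# Stored group account data 340: servers per group, roles per member, and the
# per-guest subset (guests see only a subset, associates see every server).
GROUP_SERVERS = {"ops": {"web01", "web02", "db01"}}
GROUP_ROLES = {"ops": {"alice": "associate", "bob": "guest", "carol": "associate"}}
GUEST_SERVERS = {("ops", "bob"): {"web01"}}
# System groups of the operating system 360. 'bob' is deliberately missing so
# that the OS-level check at step 450 contradicts the application-level one.
SYSTEM_GROUPS = {"ops": {"alice", "carol"}}
# One private key per user and per group; group keys are root-owned and
# readable by the matching system group only.
KEY_FILES = {
    "alice": KeyFile("/var/lib/cm/keys/users/alice", "alice", "alice", 0o600),
    "ops": KeyFile("/var/lib/cm/keys/groups/ops", "root", "ops", 0o640),
}


def servers_via_group(user, group):
    """Step 435: servers reachable through one group, taking the role into account."""
    role = GROUP_ROLES.get(group, {}).get(user)
    if role == "associate":
        return set(GROUP_SERVERS[group])
    if role == "guest":
        return GROUP_SERVERS[group] & GUEST_SERVERS.get((group, user), set())
    return set()


def authorize(user, server):
    """Steps 430-440: which key grants access, or None if nothing does.

    A user's own rights win over group rights so that the least-shared key is used.
    """
    if server in USER_SERVERS.get(user, set()):
        return ("user", user)
    for group in sorted(GROUP_ROLES):
        if server in servers_via_group(user, group):
            return ("group", group)
    return None


def os_permits_read(user, key):
    """Step 450: the Unix read check, owner bits first, then group, then other."""
    if user == key.owner:
        return bool(key.mode & stat.S_IRUSR)
    if user in SYSTEM_GROUPS.get(key.group, set()):
        return bool(key.mode & stat.S_IRGRP)
    return bool(key.mode & stat.S_IROTH)


def open_session(user, server):
    """Steps 440-470 as one decision; returns a dict describing the outcome."""
    grant = authorize(user, server)
    if grant is None:
        return {"status": "denied", "reason": "no privilege for server"}  # step 425
    key = KEY_FILES[grant[1]]
    if not os_permits_read(user, key):
        # Step 460: the application layer granted access but the OS refuses the
        # key; a discrepancy like this is treated as a possible compromise.
        return {"status": "security_flag", "grant": grant, "key": key.path}
    return {"status": "connected", "server": server, "grant": grant, "key": key.path}


if __name__ == "__main__":
    for who, where in [("alice", "db01"), ("alice", "web02"), ("bob", "web01"),
                       ("bob", "web02"), ("carol", "db01"), ("dave", "web01")]:
        print(who, where, open_session(who, where))
```

The interesting case is `bob` on `web01`: the group data says a guest may reach that server, but the system group on the connection manager was never updated to include him, so the key read fails and the request is flagged rather than silently denied. That is the situation the text describes as a possible compromise, and the example shows why the two checks must be maintained independently rather than derived from one another.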

FIG. 5 is a flow diagram of a method 500 for configuring a server according to one or more illustrative aspects of the disclosure. In one or more embodiments, the method 500 or one or more steps thereof may be performed by one or more computing devices or entities. Without limitation, all or portions of the method 500 may be executed by the connection manager 250 and/or servers 260-62. All or portions of the method 500 may be performed by components of the computing device 100. The method 500 or one or more steps thereof may be embodied in computer-executable instructions that are stored in a computer-readable medium, such as a non-transitory computer-readable medium. Some steps or portions of steps in the flow diagram may be omitted or changed in order.

At step 510 a server may be connected to a network and/or activated. The server may comprise one of the servers 260-62. The server may be located in a data center. The server may be a Linux server, Unix server, Windows server, or any other type of server.

At step 520 configuration information corresponding to the server may be retrieved. The configuration information may indicate which users and/or groups are authorized to access the server. The configuration information may indicate access rights for the users and/or groups. The configuration information may be retrieved from a database storing configuration information for the network.

At step 530 the configuration information may be used to determine the users and/or groups authorized to access the server. The access privileges of each user and/or group may also be determined, such as whether the user or group has root privileges.

At step 540 keys may be created for the users and groups authorized to access the server. The keys may be generated via SSH commands, or through other methods. Although step 540 describes creating keys, the keys for the users and/or groups authorized to access the server may have previously been created. Once a private key has been created for a group, a public key corresponding to that private key may be stored on each server that the group has access to. Similarly, once a private key has been created for a user, a public key corresponding to that private key may be stored on each server that the user has access to.

At step 550 public keys corresponding to the users and groups may be stored on the server. At step 560 private keys corresponding to the users and groups may be stored on a connection manager.

At step 570 the server may be configured to provide the access privileges defined in the configuration for each user and group. System users may be defined in the server based on the configuration. The connection manager may be configured based on the configuration. The connection manager may be configured to indicate which groups and/or users have access to the server.
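As an added example (not code from the patent), the following Python module derives the artifacts that steps 520 through 570 would produce from one constructed configuration: the authorized_keys lines for each server (step 550), the file ownership and mode of each private key on the connection manager (step 560), and the manager's table of who may reach which server, on which port and as which login (step 570). The `restrict`, `pty` and `from=` options are real OpenSSH authorized_keys options added here as a hardening the patent does not mention; they pin each installed public key to the connection manager's address and disable forwarding. Host names, ports, logins, paths, the manager's address and the public-key strings are all placeholders.

```python
"""Provisioning plan for method 500 (steps 520-570).

Added example; not code from the patent. The configuration, hostnames,
ports, logins, paths and the connection manager's address are constructed
assumptions, and the public-key strings are placeholders, not real keys.
"""

# Step 520: configuration retrieved from the network configuration database.
CONFIG = {
    "servers": {
        "web01": {"port": 22, "login": "deploy"},
        "db01": {"port": 2222, "login": "dba"},
    },
    "users": {"alice": {"servers": ["db01"], "root": False}},
    "groups": {"ops": {"servers": ["web01", "db01"], "root": True}},
}
# Step 540: public halves of previously created keys (placeholder strings).
PUBLIC_KEYS = {
    "alice": "ssh-ed25519 <alice-public-key>",
    "ops": "ssh-ed25519 <ops-group-public-key>",
}
CM_ADDRESS = "10.0.0.5"  # assumed address of the connection manager 250
KEY_ROOT = "/var/lib/cm/keys"  # assumed key store location on the manager


def principals_for(server):
    """Step 530: (kind, name, has_root) for every user and group listing the server."""
    found = []
    for kind in ("users", "groups"):
        for name, cfg in CONFIG[kind].items():
            if server in cfg["servers"]:
                found.append((kind[:-1], name, cfg["root"]))
    return found


def authorized_keys_for(server):
    """Step 550: lines for the server's authorized_keys file.

    'restrict' turns off port forwarding, agent forwarding and X11; 'pty'
    re-enables the terminal; 'from=' pins the key to the connection manager,
    so a copied public-key entry grants nothing to a host that is not the
    manager. The trailing comment records which principal the key belongs to.
    """
    lines = []
    for kind, name, _root in principals_for(server):
        opts = f'restrict,pty,from="{CM_ADDRESS}"'
        lines.append(f"{opts} {PUBLIC_KEYS[name]} {kind}:{name}")
    return lines


def key_store_layout():
    """Step 560: where each private key lives on the manager and who may read it.

    User keys are 0600 and owned by the user; group keys are owned by root and
    readable only by the matching system group (0640). These are the modes the
    operating system enforces when method 400 requests a key at step 450.
    """
    layout = {}
    for name in CONFIG["users"]:
        layout[name] = {"path": f"{KEY_ROOT}/users/{name}", "owner": name,
                        "group": name, "mode": 0o600}
    for name in CONFIG["groups"]:
        layout[name] = {"path": f"{KEY_ROOT}/groups/{name}", "owner": "root",
                        "group": name, "mode": 0o640}
    return layout


def manager_access_table():
    """Step 570: the manager's record of who reaches which server, and how."""
    table = {}
    for server, cfg in CONFIG["servers"].items():
        who = principals_for(server)
        table[server] = {
            "port": cfg["port"],
            "login": cfg["login"],
            "principals": [f"{k}:{n}" for k, n, _ in who],
            "root": [f"{k}:{n}" for k, n, r in who if r],
        }
    return table


if __name__ == "__main__":
    for server in CONFIG["servers"]:
        print(server, authorized_keys_for(server))
    print(key_store_layout())
    print(manager_access_table())
```

Because a group key is shared by everyone in the group, the `0640` root-owned layout is what makes step 450 meaningful: adding a user to the application-level group without adding them to the system group leaves the key unreadable to them, and the mismatch is detected rather than papered over.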

FIG. 6 shows an example of group roles according to one or more illustrative aspects of the disclosure. Each user may be assigned one or more roles within a group. Users having different roles within the group may be permitted to perform different actions pertaining to the group. FIG. 6 provides one example of a hierarchy of roles within a group, but other configurations may be used.

One or more group owners 610 may be permitted to perform all administrative actions corresponding to the group. The group owners 610 may add group owners 610 and/or delete group owners 610. The group owners 610 may assign and/or remove roles from any users of the group. For example, a group owner 610 may assign a gatekeeper 620 role to one of the users of the group.

The gatekeepers 620 may add and/or remove associates 640 and/or guests 650 from the group. A list of associates 640 and/or guests 650 for the group may be maintained, such as by the connection manager 250. The gatekeepers 620 may add or remove users from the list, and may store an indication in the list of whether each user is an associate 640 or guest 650. For each guest 650, the gatekeepers 620 may determine which servers the guest 650 has access to. Each guest 650 may be given access to a subset of the set of servers that the associates 640 of the group can access. Different guests 650 of the same group may be given access to different servers.

The server managers 630 may manage a list of servers that the group can access. The server managers 630 may add and/or remove servers from the list of servers that the group can access. The server managers 630 may store an indication in the list, for each server, of a port to access the server and/or a user to log into the server as. If a server manager 630 removes a server from the list of servers, each associate 640 and guest 650 may lose access to the removed server through the group.

Associates 640 may have access to the servers associated with the group. The associates 640 may have access to each of the servers in the server list managed by the server managers 630. Associates 640 might not be permitted to modify the rights of the group. Guests 650 may have access to a subset of the servers corresponding to the group. The server managers 630 may determine which servers the guests 650 have access to.

Users in a group may have a single role or may have multiple roles. For example, a single user may be a group owner 610, a gatekeeper 620, a server manager 630, and an associate 640.

FIGS. 7A and 7B are a flow diagram of a method 700 for modifying access rights according to one or more illustrative aspects of the disclosure. In one or more embodiments, the method 700 or one or more steps thereof may be performed by one or more computing devices or entities. Without limitation, all or portions of the method 700 may be executed by the client devices 210-13 and/or the connection manager 250. All or portions of the method 700 may be performed by components of the computing device 100. The method 700 or one or more steps thereof may be embodied in computer-executable instructions that are stored in a computer-readable medium, such as a non-transitory computer-readable medium. Some steps or portions of steps in the flow diagram may be omitted or changed in order.

At step 705 a user request may be received. The user request may comprise a command to modify a target user's access rights. The user request may be received at a client device, such as one of the client devices 210-13. The user request may comprise a username and/or other identifying information of the target user. The user request may comprise a group name and/or other identifying information corresponding to the group. The user request may indicate the command to be performed. The command may comprise a request to add the target user to the group, remove the target user from the group, and/or change the target user's role within the group.

At step 710 the command may be transmitted to a connection manager, such as the connection manager 250. At step 715 the requesting user may be authenticated with the connection manager. Similar actions may be performed at step 715 as those described above in regards to step 415. At step 720 a determination may be made as to whether the authentication was successful. If the authentication was not successful, at step 725 an error may be returned.

If the authentication was successful at step 720, at step 730 a verification may be performed to determine whether the requesting user has access rights to perform the command. The role of the requesting user within the group may be determined. The requesting user may be determined to be a group owner 610, gatekeeper 620, server manager 630, associate 640, and/or guest 650. Whether the requesting user has rights to perform the requested action may be determined based on the role or roles of the requesting user within the group.

At step 735 the verification may be determined to be successful or to have failed. If the command is a request to add or remove the target user from the group, but the requesting user is not assigned a role that permits adding or removing users from the group, the verification may fail. If the verification fails, an error may be returned at step 725.

If the verification is successful at step 735 because the requesting user has sufficient privileges to perform the command, a system level verification may be performed at step 740.

At step 740 an operating system may verify that the user has system level access rights to perform the command. An operating system of the connection manager, such as the operating system 360, may be configured to restrict access to commands. The user and group rights may be defined in the operating system. Prior to executing the command, the operating system may verify that either the user's system account has access to the command or a system group that the user is a member of has access to the command.

Access to all or a portion of executable code corresponding to the command may be controlled by the operating system. The executable code may be stored in one or more files. Access to the one or more files may be controlled by the operating system. The operating system may grant access to the executable code after determining that a system group corresponding to the user or the user's system account has access to the executable code.

At step 745 a determination may be made as to whether the verification was successful. If the verification fails and the operating system does not allow access to the command, a security issue may be flagged at step 750. An error may be reported, such as to an administrator of the system, indicating that a possible security breach has occurred. The verification being denied at step 745 may indicate that the connection manager software has been compromised. Various actions may be performed in response to determining that the verification was denied at step 745. The user's account may be locked, the group may be locked, the connection manager 250 may be temporarily placed in an offline mode, and/or other actions may be taken.

After successfully verifying that the user is authorized to execute the command, the command may be executed at step 755. At step 755 the target user's group privileges may be modified. An indication that the modification has been performed may be transmitted and/or displayed to the user. Method 700 describes modifying the group access rights of a target user, but it should be understood that similar steps may be performed for modifying the list of servers accessible by the group, and/or for performing any other administrative task corresponding to the group.
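The role matrix of FIG. 6 combined with the checks of steps 730 through 755, as an added example (not code from the patent). The group record, user names and servers are constructed, and the step 740 operating-system check is emulated by membership in an assumed system group rather than by real file permissions on the command's executable. Owners are allowed every command; gatekeepers may only add associates or guests, never a higher role; removing a server also removes it from every guest's subset, as described for the server managers 630.

```python
"""Role-based verification of administrative commands (FIG. 6, method 700).

Added example; not code from the patent. The group record, user names,
server names and the system group that may run the administration
executable are constructed assumptions; the step 740 check is emulated by a
membership lookup rather than by a real operating system.
"""
from copy import deepcopy

OWNER, GATEKEEPER, SERVER_MANAGER, ASSOCIATE, GUEST = (
    "owner", "gatekeeper", "server_manager", "associate", "guest")

# FIG. 6: which roles may issue which command. Associates and guests appear
# nowhere, so they may use the group's servers but not change the group.
_BASE = {
    "grant_role": set(),                       # owners only
    "revoke_role": set(),                      # owners only
    "add_member": {GATEKEEPER},
    "remove_member": {GATEKEEPER},
    "set_guest_servers": {GATEKEEPER, SERVER_MANAGER},
    "add_server": {SERVER_MANAGER},
    "remove_server": {SERVER_MANAGER},
}
PERMISSIONS = {cmd: roles | {OWNER} for cmd, roles in _BASE.items()}  # owners do all
MEMBERSHIP_ROLES = {ASSOCIATE, GUEST}  # the only roles add_member may hand out

# Stored group account data 340 for one group.
GROUP = {
    "name": "ops",
    "roles": {
        "alice": {OWNER, ASSOCIATE},
        "bob": {GATEKEEPER},
        "carol": {SERVER_MANAGER},
        "dave": {SERVER_MANAGER, ASSOCIATE},
        "erin": {GUEST},
    },
    "servers": {"web01": {"port": 22, "login": "deploy"}},
    "guest_servers": {"erin": {"web01"}},
}
# Step 740: the OS lets only this system group execute the group-admin code.
# 'dave' is missing on purpose, so his role check passes but the OS check fails.
SYSTEM_ADMIN_GROUP = {"alice", "bob", "carol"}


def role_permits(roles, command, role=None):
    """Steps 730-735: does any of the requester's roles allow the command?"""
    if not roles & PERMISSIONS.get(command, set()):
        return False
    if command == "add_member" and role not in MEMBERSHIP_ROLES:
        return False  # new members join as associates or guests, nothing higher
    return True


def run_command(group, requester, command, target=None, role=None,
                server=None, port=22, login="root", servers=None):
    """Steps 730-755 on a copy of the group record; returns (status, new_group)."""
    roles = group["roles"].get(requester, set())
    if not role_permits(roles, command, role):
        return ("denied", group)  # step 725
    if requester not in SYSTEM_ADMIN_GROUP:
        return ("security_flag", group)  # step 750: role says yes, OS says no
    g = deepcopy(group)
    if command == "add_member":
        g["roles"].setdefault(target, set()).add(role)
    elif command == "remove_member":
        g["roles"].pop(target, None)
        g["guest_servers"].pop(target, None)
    elif command == "grant_role":
        g["roles"].setdefault(target, set()).add(role)
    elif command == "revoke_role":
        g["roles"].get(target, set()).discard(role)
    elif command == "set_guest_servers":
        g["guest_servers"][target] = set(servers or ()) & set(g["servers"])
    elif command == "add_server":
        g["servers"][server] = {"port": port, "login": login}
    elif command == "remove_server":
        g["servers"].pop(server, None)
        for allowed in g["guest_servers"].values():
            allowed.discard(server)  # guests lose the server along with associates
    return ("ok", g)


if __name__ == "__main__":
    print(run_command(GROUP, "bob", "add_member", target="frank", role=ASSOCIATE)[0])
    print(run_command(GROUP, "bob", "add_member", target="frank", role=OWNER)[0])
    print(run_command(GROUP, "erin", "add_server", server="db01")[0])
    print(run_command(GROUP, "dave", "add_server", server="db01")[0])
    print(run_command(GROUP, "carol", "remove_server", server="web01")[0])
```

The two failure paths are deliberately distinct: `erin` is refused at step 735 because a guest has no administrative role, which is an ordinary error, while `dave` passes the role check but is refused by the emulated operating system at step 745, which the text treats as a sign that the application-level data and the system-level rights have diverged and raises a security flag instead of a plain error.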

While the above-described implementations have been described and shown with reference to particular steps performed in a particular order, it will be understood that these steps may be combined, sub-divided, or re-ordered without departing from the teachings of the present technology. At least some of the steps may be executed in parallel or in series. Accordingly, the order and grouping of the steps is not a limitation of the present technology.

It should be expressly understood that not all technical effects mentioned herein need to be enjoyed in each and every embodiment of the present technology.

Modifications and improvements to the above-described implementations of the present technology may become apparent to those skilled in the art. The foregoing description is intended to be exemplary rather than limiting. The scope of the present technology is therefore intended to be limited solely by the scope of the appended claims.

What is claimed is:
 1. A method comprising: receiving, from a client device, a request to establish a connection with a server, wherein the request indicates a user of the client device; authenticating, using a public key corresponding to the client device, the user; determining whether the user has privileges to access the server; after determining that the user is authorized to access the server, retrieving a private key corresponding to the server; and establishing, using the private key, a connection to the server.
 2. The method of claim 1, further comprising coordinating communications between the client device and the server.
 3. The method of claim 2, further comprising recording the communications between the client device and the server.
 4. The method of claim 3, further comprising: storing the recorded communications between the client device and the server; and outputting, via a user interface, the stored communications.
 5. The method of claim 2, wherein coordinating communications between the client device and the server comprises: decrypting communications from the client device; encrypting the decrypted communications, thereby generating encrypted data; and transmitting the encrypted data to the server.
 6. The method of claim 2, wherein coordinating communications between the client device and the server further comprises: decrypting communications from the server; encrypting the decrypted communications, thereby generating encrypted data; and transmitting the encrypted data to the client device.
 7. The method of claim 1, further comprising: retrieving an indication of one or more groups corresponding to the user; and determining whether the one or more groups are authorized to access the server.
 8. The method of claim 7, wherein the private key comprises a private key corresponding to a group of the one or more groups.
 9. The method of claim 1, further comprising: receiving, from the client device, a request to execute a command to modify a second user's role in a group; determining whether the user has privileges to execute the command; and after determining that the user has privileges to execute the command, executing the command, thereby modifying the second user's role in the group.
 10. The method of claim 1, wherein the private key is accessible by a plurality of users.
 11. The method of claim 1, further comprising verifying, by an operating system, that the user is a member of a group that has access to the private key corresponding to the server.
 12. The method of claim 11, wherein the group comprises a system group of the operating system.
 13. An apparatus comprising: at least one processor; and a memory device comprising executable instructions, which, when executed by the at least one processor, cause the apparatus to: receive, from a client device, a request to establish a connection with a server, wherein the request indicates a user of the client device; authenticate, using a public key corresponding to the client device, the user; determine whether the user has privileges to access the server; after determining that the user is authorized to access the server, retrieve a private key corresponding to the server; and establish, using the private key, a connection to the server.
 14. The apparatus of claim 13, wherein the instructions that cause the apparatus to determine whether the user has privileges to access the server comprise instructions that cause the apparatus to determine, based on data stored by the apparatus, that the user is authorized to access the server.
 15. The apparatus of claim 13, wherein the instructions further cause the apparatus to: decrypt communications from the server; encrypt the decrypted communications, thereby generating encrypted data; and transmit the encrypted data to the client device.
 16. The apparatus of claim 13, wherein the instructions further cause the apparatus to: decrypt communications from the client device; encrypt the decrypted communications, thereby generating encrypted data; and transmit the encrypted data to the server.
 17. A system comprising: a first computing device, a second computing device, and a third computing device, wherein the first computing device comprises: at least one processor; and a memory device comprising executable instructions, which, when executed by the at least one processor of the first computing device, cause the first computing device to transmit, to the second computing device and based on a private key corresponding to the second computing device, a request to establish a communication session with the third computing device, wherein the second computing device comprises: at least one processor; and a memory device comprising executable instructions, which, when executed by the at least one processor of the second computing device, cause the second computing device to: receive the request to establish the communication session with the third computing device; authenticate, based on a public key corresponding to the private key of the first computing device, the first computing device; determine whether the first computing device has privileges to access the third computing device; after determining that the first computing device has privileges to access the third computing device, retrieve a private key corresponding to the third computing device; and establish, using the private key, the communication session with the third computing device, and wherein the third computing device comprises: at least one processor; and a memory device comprising executable instructions, which, when executed by the at least one processor of the third computing device, cause the third computing device to: receive, from the second computing device, a request to establish the communication session; and authenticate, based on a public key corresponding to the private key of the second computing device, the second computing device.
 18. The system of claim 17, wherein the executable instructions, when executed by the at least one processor of the second computing device, cause the second computing device to: coordinate communications between the first computing device and the third computing device; and record the communications between the first computing device and the third computing device.
 19. The system of claim 17, wherein the executable instructions, when executed by the at least one processor of the second computing device, cause the second computing device to determine, based on data stored by the second computing device, that the first computing device has privileges to access the third computing device.
 20. The system of claim 17, wherein the executable instructions, when executed by the at least one processor of the second computing device, cause the second computing device to: decrypt communications from the first computing device; encrypt the decrypted communications, thereby generating encrypted data; and transmit the encrypted data to the third computing device.